
Revision 20 (tsaitgaist, 08/13/2018 04:43 PM) → Revision 21/44 (laforge, 08/26/2018 10:12 AM)

h1. Osmocom SIMtrace 2 

{{>toc}}

Osmocom SIMtrace 2 is a software, firmware and hardware system for passively tracing the SIM-ME communication between a SIM card and a mobile phone, and for remote SIM operation.
While it was designed for SIM-ME communication, it supports all ISO 7816 smart-cards using the T=0 protocol (the most common case).

It is a follow-up of the "SIMtrace project":/projects/simtrace/wiki, providing more functionality (e.g. remote SIM operation) and supporting multiple boards (e.g. SIMtrace with SAM3S, "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html).

h2. Hardware

The SIMtrace 2 firmware supports several boards.
The firmware is written for an "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller.

Note: The SAM3S is meanwhile labelled as _not recommended for new designs_ by Atmel. However, there are plenty of hardware and software compatible upgrade options, including the SAM4S. The upgrade is possible in the future.

h3. SIMtrace v2

!{width:20%}simtrace-board-mini.jpg!

The main purpose of this board is to sniff the communication between a phone and a SIM card (or any card reader and smart-card).

This is the same circuit board as the previous "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware, with the exception that the "ATSAM3S4B":https://www.microchip.com/wwwproducts/en/ATSAM3S4B micro-controller replaces the old "AT91SAM7S64":https://www.microchip.com/wwwproducts/en/AT91SAM7S64. Since the SAM3S is pin compatible with the SAM7S, any SIMtrace v1 board can be converted into a SIMtrace v2 board simply by replacing the micro-controller.

Note: This hardware is "open source":https://git.osmocom.org/simtrace/tree/hardware.

h3. sysmoQMOD

!{width:25%}sysmoqmod.png!

The SAM3S micro-controller with SIMtrace 2 firmware is also used on the "sysmoQMOD":https://www.sysmocom.de/products/sysmoqmod/index.html board to provide remote SIM operation capabilities.

Note: This hardware is not open source.

h2. Firmware

The SIMtrace 2 firmware source code is available in "git":https://git.osmocom.org/simtrace2/.
Pre-built firmware binaries are available "here":http://ftp.osmocom.org/binaries/simtrace2/firmware/.
The firmware is currently under active development; we recommend that you [[Flashing|flash]] the latest firmware images to benefit from the newest bug fixes and added functionality.

The SIMtrace 2 firmware is a complete rewrite and *can only be flashed on hardware with SAM3S* ARM Cortex-M3-based micro-controllers.
*The SIMtrace 2 firmware is not compatible with the older "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Hardware using SAM7S ARM7TDMI-based micro-controllers.*

h3. trace

The trace application firmware allows sniffing the communication between a phone and a SIM card (or any card reader and smart-card).
It is intended for the [[Wiki#SIMtrace v2|SIMtrace v2 hardware]] and its function is analogous to the "SIMtrace v1":/projects/simtrace/wiki/SIMtrace_Firmware firmware.

The sniffing is completely passive: the firmware follows the RST line, the ATR, the PPS (baud rates tested with F/D up to 512/32) and the WT (waiting timeout) in order to parse the ISO 7816-3 TPDUs correctly.
Currently only the T=0 protocol is supported, since this is the most common protocol in use (we haven't seen T=1 in use).

!{width:25%}simtrace_and_phone.jpg!

The application firmware to be flashed using [[Flashing#DFU|DFU]] is "simtrace-trace-dfu.bin":http://ftp.osmocom.org/binaries/simtrace2/firmware/simtrace-trace-dfu.bin.

h3. Development

To compile the firmware from source, or to participate in the development, please refer to the instructions in the "README":https://git.osmocom.org/simtrace2/tree/firmware/README.txt.

h2. Flashing

The [[Wiki#Firmware|firmware images]] can be flashed as described [[Flashing|here]].


h2. Host PC Software

The SIMtrace 2 host PC software is available in the "simtrace2 git":https://git.osmocom.org/simtrace2/.

h3. Preconditions

The host software depends on [[libosmocore:]] and libusb.

To install both packages:
<pre>
sudo apt-get install libusb-1.0-0-dev libosmocore-dev
</pre>

h3. Compiling it

<pre>
git clone git://git.osmocom.org/simtrace2.git
cd simtrace2/host/
make
</pre>

h3. Accessing it

Add udev rules so that SIMtrace 2 devices can be accessed as a non-root user:
<pre>
# add current user to plugdev group (user needs to re-login for this change to take effect)
sudo adduser $USERNAME plugdev
# grant access permission to SIMtrace 2 for plugdev group
sudo wget -O /etc/udev/rules.d/99-simtrace2.rules https://git.osmocom.org/simtrace2/plain/host/99-simtrace2.rules
# reload udev rules
sudo udevadm control --reload-rules
sudo udevadm trigger
</pre>

h3. Applications

h4. simtrace2-list

@simtrace2-list@ lists all SIMtrace 2 compatible devices:
<pre>
./simtrace2-list
USB matches: 1
	1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
</pre>

This is useful when you have multiple devices (such as on the [[Wiki#sysmoQMOD]]) and have to specify which device the other applications should use.

h4. simtrace2-sniff

This application works with the [[Wiki#trace|trace]] firmware and retrieves the sniffed phone-SIM communication.
The activity is shown on the console output:
<pre>
./simtrace2-sniff
simtrace2-sniff - Phone-SIM card communication sniffer
(C) 2010-2017 by Harald Welte <laforge@gnumonks.org>
(C) 2018 by Kevin Redon <kredon@sysmocom.de>

Using USB device 1d50:60e3 Addr=4, Path=2-2.3, Cfg=1, Intf=0, Alt=0: 255/1/0 (SIMtrace Sniffer)
Entering main loop
Card state change: reset hold
Card state change: reset release
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5
PPS: ff 10 96 79
PPS: ff 10 96 79
Fi/Di switched to 512/32
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 7f 20 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
Card state change: reset hold
</pre>
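As an added example (not part of the SIMtrace 2 project or of this page), the following Python script decodes the ATR, PPS and TPDU lines of the output above: it extracts Fi/Di from TA1 and PPS1, verifies the ATR TCK and PPS PCK check bytes, splits each T=0 TPDU into header, data and status word, and names the GSM 11.11 instructions and files that appear in the trace. The instruction and file names, the status-word meanings and the per-INS direction of the data bytes are taken from GSM 11.11 / ISO 7816-3, not from the sniffer; the sample lines are copied from the output above.

```python
"""Decode the ATR, PPS and T=0 TPDU lines printed by simtrace2-sniff.
Added example, not part of the SIMtrace 2 project; the sample lines are copied
from the sniffer output above, the tables follow ISO 7816-3 and GSM 11.11."""
import re
from collections import namedtuple
from functools import reduce
from operator import xor

# ISO 7816-3 clock-rate (Fi) and baud-rate adjustment (Di) tables, None = RFU
FI = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
# GSM 11.11 instruction bytes and file identifiers (subset). For the INS values in
# INS_DATA_FROM_CARD the data bytes of a trace line are the card's reply, otherwise
# they are what the phone sent along with the 5-byte command header.
INS_NAMES = {0xA4: "SELECT", 0xF2: "STATUS", 0xB0: "READ BINARY", 0xD6: "UPDATE BINARY",
             0xB2: "READ RECORD", 0xDC: "UPDATE RECORD", 0x20: "VERIFY CHV", 0xC0: "GET RESPONSE"}
INS_DATA_FROM_CARD = {0xB0, 0xB2, 0xC0, 0xF2}
FILE_NAMES = {0x3F00: "MF", 0x7F20: "DF.GSM", 0x6F46: "EF.SPN"}
LINE_RE = re.compile(r"^\s*(ATR|PPS|TPDU):\s*((?:[0-9a-fA-F]{2}\s*)+)$")

Atr = namedtuple("Atr", "fi di protocols historical tck_ok")
Tpdu = namedtuple("Tpdu", "cla ins p1 p2 p3 data sw")    # sw = SW1 SW2 as one 16-bit value

def parse_atr(raw):
    y, k = raw[1] >> 4, raw[1] & 0x0F       # T0: interface-byte presence bits, historical count
    i, fi, di, protocols = 2, 372, 1, []    # Fi/Di defaults apply when TA1 is absent
    while True:
        ta = raw[i] if y & 1 else None
        i += bin(y).count("1")              # step over the TAi/TBi/TCi/TDi that are present
        td = raw[i - 1] if y & 8 else None  # TDi is always the last byte of the group
        if ta is not None and not protocols:    # first group: TA1 carries Fi/Di
            fi, di = FI[ta >> 4], DI[ta & 0x0F]
        if td is None:
            break
        protocols.append(td & 0x0F)         # low nibble of TDi: offered protocol T
        y = td >> 4
    hist, i = raw[i:i + k], i + k
    # TCK exists only if a protocol other than T=0 is offered; T0 through TCK XOR to zero
    tck_ok = True
    if any(t != 0 for t in protocols):
        tck_ok = reduce(xor, raw[1:i + 1], 0) == 0 and len(raw) == i + 1
    return Atr(fi, di, protocols, hist, tck_ok)

def parse_pps(raw):
    """PPS request/response: FF PPS0 [PPS1] [PPS2] [PPS3] PCK, where PPS1 holds Fi/Di."""
    pps0, i, fi, di = raw[1], 2, None, None
    if pps0 & 0x10:
        fi, di, i = FI[raw[i] >> 4], DI[raw[i] & 0x0F], i + 1
    i += bool(pps0 & 0x20) + bool(pps0 & 0x40)
    return {"protocol": pps0 & 0x0F, "fi": fi, "di": di, "pck_ok": reduce(xor, raw[:i + 1], 0) == 0}

def parse_tpdu(raw):
    """A trace line as printed: 5-byte header, P3 data bytes, SW1 SW2."""
    if len(raw) < 7:
        raise ValueError("TPDU shorter than header plus status word")
    cla, ins, p1, p2, p3 = raw[:5]
    data, sw = bytes(raw[5:-2]), int.from_bytes(raw[-2:], "big")
    if data and len(data) != p3:            # a card rejecting the header answers with SW only
        raise ValueError("data length %d does not match P3 %d" % (len(data), p3))
    return Tpdu(cla, ins, p1, p2, p3, data, sw)

def describe_tpdu(t):
    name = INS_NAMES.get(t.ins, "INS %02X" % t.ins)
    if t.ins == 0xA4 and len(t.data) == 2:
        fid = int.from_bytes(t.data, "big")
        name += " " + FILE_NAMES.get(fid, "%04X" % fid)
    if t.sw == 0x9000:
        status = "OK"
    elif t.sw >> 8 == 0x9F:                 # GSM 11.11: reply data waiting for GET RESPONSE
        status = "OK, %d response bytes available" % (t.sw & 0xFF)
    else:
        status = {0x9804: "access condition not fulfilled", 0x6A82: "file not found"}.get(t.sw, "error")
    origin = "card" if t.ins in INS_DATA_FROM_CARD else "phone"
    return "%s, %d data bytes from %s, SW %04X (%s)" % (name, len(t.data), origin, t.sw, status)

def parse_trace(text):
    """Return (kind, record) pairs; state-change and Fi/Di lines are skipped."""
    parsers = {"ATR": parse_atr, "PPS": parse_pps, "TPDU": parse_tpdu}
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), parsers[m.group(1)](bytes.fromhex(m.group(2)))))
    return out

# Copied from the simtrace2-sniff output above: the phone selects MF, DF.GSM, EF.SPN, then reads it.
SAMPLE_TRACE = """\
ATR: 3b 9f 96 80 1f c7 80 31 a0 73 be 21 13 67 43 20 07 18 00 00 01 a5
PPS: ff 10 96 79
Fi/Di switched to 512/32
TPDU: a0 a4 00 00 02 3f 00 9f 22
TPDU: a0 a4 00 00 02 7f 20 9f 22
TPDU: a0 a4 00 00 02 6f 46 9f 0f
TPDU: a0 b0 00 00 11 81 43 43 43 20 45 76 65 6e 74 ff ff ff ff ff ff ff 90 00
"""

if __name__ == "__main__":
    for kind, rec in parse_trace(SAMPLE_TRACE):
        print(kind, describe_tpdu(rec) if kind == "TPDU" else rec)
```

Run it directly to print the decoded records. The T0-to-TCK XOR check is worth keeping in any tool that consumes sniffed ATRs: a single bit error on the I/O line otherwise shows up as a plausible but wrong Fi/Di, and the sniffer would then decode every following byte at the wrong rate.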

The TPDUs are also sent as GSMTAP frames to UDP/IPv4 localhost:4729.
This allows analysing the communication in Wireshark using its GSM SIM dissector.
!{width:50%}wireshark-sim.png!
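The GSMTAP side, as an added example that is not the project's own code: the script below receives the frames the sniffer sends to UDP localhost:4729, checks the GSMTAP v2 header (the version, and the hdr_len field before it is used as an offset into the datagram) and returns the SIM payload. The header layout and the constants GSMTAP_TYPE_UM, GSMTAP_TYPE_SIM, GSMTAP_SIM_APDU and GSMTAP_SIM_ATR are those of libosmocore's gsmtap.h; the demo datagrams are constructed here. Which sub_type the sniffer sets on each frame is not shown on this page, so the script names only the two sub-types it knows and reports the others by number.

```python
"""Receive the GSMTAP frames that simtrace2-sniff sends to UDP localhost:4729.
Added example, not part of the SIMtrace 2 project. Header layout and constants
follow GSMTAP version 2 as defined in libosmocore's gsmtap.h; the datagrams in
DEMO_DATAGRAMS are constructed here for demonstration, not captured."""
import socket
import struct

GSMTAP_PORT = 4729                                  # where the sniffer sends, per the page
GSMTAP_VERSION = 0x02
GSMTAP_TYPE_UM, GSMTAP_TYPE_SIM = 0x01, 0x04        # gsmtap.h type values
GSMTAP_SIM_APDU, GSMTAP_SIM_ATR = 0x00, 0x01        # gsmtap.h sub_type values for SIM frames
SUB_TYPE_NAMES = {GSMTAP_SIM_APDU: "APDU", GSMTAP_SIM_ATR: "ATR"}
# version, hdr_len (in 32-bit words), type, timeslot, arfcn, signal_dbm, snr_db,
# frame_number, sub_type, antenna_nr, sub_slot, res: 16 bytes, network byte order
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")


def parse_gsmtap(datagram):
    """Validate a GSMTAP datagram and return (type, sub_type, payload).

    hdr_len comes off the wire and is used as a slice offset, so it is range
    checked first; a frame claiming a header longer than itself is rejected
    instead of silently yielding an empty payload."""
    if len(datagram) < GSMTAP_HDR.size:
        raise ValueError("datagram shorter than the GSMTAP header")
    fields = GSMTAP_HDR.unpack_from(datagram)
    version, hdr_len, typ, sub_type = fields[0], fields[1], fields[2], fields[8]
    if version != GSMTAP_VERSION:
        raise ValueError("unsupported GSMTAP version %d" % version)
    hdr_bytes = hdr_len * 4
    if hdr_bytes < GSMTAP_HDR.size or hdr_bytes > len(datagram):
        raise ValueError("header length %d bytes is out of range" % hdr_bytes)
    return typ, sub_type, datagram[hdr_bytes:]


def build_gsmtap(payload, typ=GSMTAP_TYPE_SIM, sub_type=GSMTAP_SIM_APDU):
    """Wrap a payload the way a GSMTAP sender does (used here to exercise the parser)."""
    header = GSMTAP_HDR.pack(GSMTAP_VERSION, GSMTAP_HDR.size // 4, typ,
                             0, 0, 0, 0, 0, sub_type, 0, 0, 0)
    return header + payload


def sim_payloads(datagrams):
    """Return (sub_type name, payload) for the SIM frames in a batch of datagrams."""
    out = []
    for datagram in datagrams:
        try:
            typ, sub_type, payload = parse_gsmtap(datagram)
        except ValueError:
            continue                        # malformed input is dropped, not fatal
        if typ == GSMTAP_TYPE_SIM:
            out.append((SUB_TYPE_NAMES.get(sub_type, "sub_type %d" % sub_type), payload))
    return out


def serve(host="127.0.0.1", port=GSMTAP_PORT):
    """Print SIM frames as they arrive; bound to loopback only, matching the sniffer's target."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            datagram, _peer = sock.recvfrom(65535)
            for name, payload in sim_payloads([datagram]):
                print(name, payload.hex())


# Constructed demo input: the SELECT MF TPDU from the sniffer output above as a SIM
# frame, a frame of another GSMTAP type, and a truncated frame the parser must drop.
DEMO_DATAGRAMS = [
    build_gsmtap(bytes.fromhex("a0 a4 00 00 02 3f 00 9f 22")),
    build_gsmtap(b"\x00" * 23, typ=GSMTAP_TYPE_UM),
    build_gsmtap(bytes.fromhex("3b 9f"), sub_type=GSMTAP_SIM_ATR)[:10],
]

if __name__ == "__main__":
    print(sim_payloads(DEMO_DATAGRAMS))
    serve()
```

Anything that reads this port, including a custom dissector, should treat hdr_len the same way: it is attacker-influenced input once the sniffer is pointed at a card you do not control, and a header length larger than the datagram must not become a negative or out-of-range slice.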

{{include(cellular-infrastructure:MacroBinaryPackages)}}